Who we are
Our website address is: https://practice-supervisors.rip.org.uk.
What personal data we collect and why we collect it
When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.
If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.
Will we be using contact forms?
If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.
If you have an account and you log in to this site, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.
When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.
If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.
Embedded content from other websites
Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.
Who we share your data with
How long we retain your data
If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue.
For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.
What rights you have over your data
If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.
Where we send your data
Visitor comments may be checked through an automated spam detection service.
How we protect your data
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
What data breach procedures we have in place
In the physical world
Our paper records are minimal but can include printed contracts, printed event information and other small sources of data used in day-to-day office activity. Personal data held on paper is digitised and the paper is destroyed as soon as possible.
We operate a clear desk policy, have a secure building, use a standard cross-shredder and use a regular secure document disposal service.
We use standard cloud servers for our technology, which can be in data centres in other locations apart from the UK. This will involve transferring your data outside the European Economic Area (EEA). Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
- We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission. For further details, see European Commission: Adequacy of the protection of personal data in non-EU countries.
- Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe. For further details, see European Commission: Model contracts for the transfer of personal data to third countries.
- Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield, which requires them to provide similar protection to personal data shared between Europe and the US. For further details, see European Commission: EU-US Privacy Shield.
All websites (including CRM) are hosted on industry standard secure servers where access to personal data is encrypted behind authentication. Passwords for accessing the encrypted data are themselves encrypted and stored in the Dartington Hall Trust network behind full network permissions set up by Dartington Hall Trust ICT.
User connection when accessing the website and CRM is encrypted through the appropriate use of certificates.
Ensure ongoing confidentiality, integrity, availability and resilience
All websites (including CRM) are backed up daily on a four-week rolling cycle. This allows data to be restored with minimal risk of data loss. Data is stored in industry standard databases with root admin security and is spread across multiple data centres in the EU and UK for full redundancy.
Restore in a timely manner after an incident
We have a procedure in place allowing for disaster recovery, which includes ‘Major Critical Incident’ and permits continuity of the business with minimal risk of data loss.
Testing the effectiveness of the security
Our web applications are occasionally subject to Penetration Testing by a consultant and issues are addressed.
Adherence to code of conduct
Employees are required to adhere to a Dartington Hall Trust code of conduct in relation to electronic systems. Our staff have received training in the General Data Protection Regulation.
Ensuring strict adherence from our contractors (third-party data processors)
We use approved contractors to build our websites (including CRM). These contractors are subject to strict rules about data access and handling and have access to our servers.
Where possible and practical, third-party contractors (processors) are guided by our staff directly and are subject to Non-Disclosure Agreements where personal data protection is concerned. Contractors are expected to run their own physical and technical security to a high standard and have full insurances. We have visited the offices of our contractors and are satisfied that they meet good standards of data security.
What third parties we receive data from
We work with third party data processors. These organisations help us to fulfil our obligations as a service provider and are themselves subject to their own policies as under law. These organisations include:
- Email services
MailChimp. The Rocket Science Group, LLC 675, Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308 U.S.A.
- Online surveys
SmartSurvey Ltd. Basepoint Business Centre, Oakfield Close, Tewkesbury, Gloucestershire, GL20 8SD U.K.
William Pollard & Co Ltd. Oak House, Falcon Road, Exeter, Devon, EX2 7NU U.K.
- Video conferencing, hosting and webinars
Adobe Systems Europe Ltd. Market House Maidenhead SL6 8AG U.K.
Vimeo, Inc. 555 West 18th Street, New York, New York 10011 U.S.A.
- Website development and hosting technology
AB Multimedia Limited. Registered Office: 9 Richmond Road, Exeter, EX4 4JA U.K.
Mentor, 4 West End, Somerset St, Bristol, BS2 8NE
- Event Management (Commissions only)
Arlo. Registered Office: 7 Ward St, Level 2, Lower Hutt 5010 New Zealand
Research in Practice reserves the right to change or add to any third-party processors used in providing our services. Changes will be noted in this policy.